Kingsoft guard (affected version & amp; lt; = 1.5.0.1147) ksafebc. sys kernel driver backdoor exploitation vulnerability and repair

Article Title: Kingsoft guard ksafebc. sys kernel driver backdoor exploitation Vulnerability
Author: ZzAge [LCG] [80DFJ] [DST]
E-mail: zzage@163.com

I love to crack [LCG]: http://www.52pojie.net
[80DFJ]: http://www.80dfj.org
Dark Group Security Technology Forum [DST]: http://forum.darkst.com

Affected Versions: Kingsoft guard <= 1.5.0.1147
File Name: Ksafebc. sys <= 1.4.0.1124
MD5: 61fe31b0a815197db8508580a0ac8dce
File Signature: Kingsoft Security Co., Ltd

(Kingsoft has officially updated this vulnerability)

Cause: Ksafebc. sys is a BOOT-level driver. After the driver is started, the driver checks whether "KSafeFileBootClean. config "," KSafeFileBootOccupy. config "," KSafeFileBootReplace. if the three configuration files exist, the data in the configuration file will be read and related functions will be implemented! However, because the method for detecting and encrypting configuration files is relatively simple, and there is no other verification method, as long as a configuration file is forged, the file operation function can be simply implemented! Because the driver is at the Boot level and the loading time is relatively early, you can use it to delete, replace, and occupy any file!

KSafeFileBootClean. config
KSafeFileBootOccupy. config
KSafeFileBootReplace. config file replacement function configuration file

Example: KSafeFileBootClean. config

. Text: 00011B60 push ebp
. Text: 00011B61 mov ebp, esp
. Text: 00011B63 push 0 FFFFFFFFh
. Text: 00011B65 push offset dword_12840
. Text: 00011B6A push offset _ effect_handler3
. Text: 00011B6F mov eax, large fs: 0
. Text: 00011B75 push eax
. Text: 00011B76 mov large fs: 0, esp
. Text: 00011B7D add esp, 0FFFFFFD8h
. Text: 00011B80 push ebx
. Text: 00011B81 push esi
. Text: 00011B82 push edi
. Text: 00011B83 mov [ebp + var_18], esp
. Text: 00011B86 mov [ebp + var_34], 0C0000001h
. Text: 00011B8D mov [ebp + var_28], 0
. Text: 00011B94 mov [ebp + P], 0
. Text: 00011B9B mov [ebp + var_2C], 0
. Text: 00011BA2 mov [ebp + var_21], 0
. Text: 00011BA6 mov [ebp + var_20], 0
. Text: 00011BAD mov [ebp + var_1C], 0
. Text: 00011BB4 mov [ebp + var_35], 0
. Text: 00011BB8 mov eax, [ebp + SourceString]
// Open the configuration file and return the file handle hFile
. Text: 00011BBB push eax; SourceString
. Text: 00011BBC call sub_12620
. Text: 00011BC1 mov [ebp + var_35], al
. Text: 00011BC4 movzx ecx, [ebp + var_35]
. Text: 00011BC8 test ecx, ecx
// Determine whether hFile is zero
. Text: 00011BCA jnz short loc_11BD8
. Text: 00011BCC mov [ebp + var_34], 0
. Text: 00011BD3 jmp loc_11CA7
. Text: 00011BD8 ;---------------------------------------------------------------------------
. Text: 00011BD8
. Text: 00011BD8 loc_11BD8:; code xref: sub_11B60 + 6Aj
. Text: 00011BD8 lea edx, [ebp + var_2C]
. Text: 00011BDB push edx; int
. Text: 00011BDC lea eax, [ebp + P]
. Text: 00011BDF push eax; int
. Text: 00011BE0 mov ecx, [ebp + SourceString]
. Text: 00011BE3 push ecx; SourceString
// Read the data in the configuration file and return the address and file size of the data read.
. Text: 00011BE4 call sub_12670
. Text: 00011BE9 mov [ebp + var_34], eax
. Text: 00011BEC cmp [ebp + var_34], 0
. Text: 00011BF0 & nb